[domain/example.com] ... ldap_user_extra_attrs = mail
This topic builds upon Setting up SSSD for LDAP Failover and Configuring Form-Based Authentication and focuses on configuring extended Lightweight Directory Access Protocol (LDAP) attributes.
SSSD 1.12.0 or later. This is available on Red Hat Enterprise Linux 7.0 and later.
mod_lookup_identity 0.9.4 or later.
The required version is not yet available on any version of Red Hat Enterprise Linux. However, compatible packages (RPMs) are available from upstream until they arrive in Red Hat Enterprise Linux.
You need to ask System Security Services Daemon (SSSD) to look up attributes in LDAP that it normally does not care about for simple system-login use-cases. In the case of OpenShift Container Platform, there is only one such attribute: email. So, you need to:
Modify the [domain/DOMAINNAME] section of /etc/sssd/sssd.conf on the authenticating proxy and add this attribute:
[domain/example.com] ... ldap_user_extra_attrs = mail
Tell SSSD that it is acceptable for this attribute to be retrieved by Apache. Add the following two lines to the [ifp] section of /etc/sssd/sssd.conf:
[ifp] user_attributes = +mail allowed_uids = apache, root
Restart SSSD:
# systemctl restart sssd.service
Test this configuration.
Now that SSSD is set up and successfully serving extended attributes, configure the web server to ask for them and to insert them in the correct places.
Enable the module to be loaded by Apache. To do so, modify /etc/httpd/conf.modules.d/55-lookup_identity.conf and uncomment the line:
LoadModule lookup_identity_module modules/mod_lookup_identity.so
Set an SELinux boolean so that SElinux allows Apache to connect to SSSD over D-BUS:
# setsebool -P httpd_dbus_sssd on
Edit /etc/httpd/conf.d/openshift-proxy.conf and add the following lines inside the <ProxyMatch /oauth/authorize> section:
<ProxyMatch /oauth/authorize> AuthName openshift LookupOutput Headers (1) LookupUserAttr mail X-Remote-User-Email (1) LookupUserGECOS X-Remote-User-Display-Name (1) RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER </ProxyMatch>
1 | Added line. |
Restart Apache to pick up the changes:
# systemctl restart httpd.service
Tell OpenShift Container Platform where to find these new attributes during login. To do so:
Edit the /etc/origin/master/master-config.yaml file and add the following lines to the identityProviders section:
identityProviders: - name: sssd challenge: true login: true mappingMethod: claim provider: apiVersion: v1 kind: RequestHeaderIdentityProvider challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}" loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}" clientCA: /home/example/workspace/openshift/configs/openshift.example.com/proxy/proxyca.crt headers: - X-Remote-User emailHeaders: (1) - X-Remote-User-Email (1) nameHeaders: (1) - X-Remote-User-Display-Name (1)
1 | Added line. |
Launch OpenShift Container Platform with this updated configuration and log in to the web as a new user.
You should see their full name appear in the upper-right of the
screen. You can also verify with oc get identities -o yaml
that both email
addresses and full names are available.
Currently, OpenShift Container Platform only saves these attributes to the user at the time
of the first login and does not update them again after that. So, while you are
testing (and only while testing), run oc delete users,identities --all
to
clear the identities out so you can log in again.